Infosec and things.

Setting Up AlienVault’s OSSIM

Note: I am not being endorsed in any way by AlienVault. I just really
like their product OSSIM.

Intro

AlienVault’s open source SIEM (Security Information and Event Manager), OSSIM, is a fantastic tool for a number of reasons, not least of which is that it is, as stated, open source. Of course we all love free stuff, but think about this for a second: a for-profit company like AlienVault took one of their main products, USM, tweaked it, made it open source, and shared it with everyone. OSSIM has a ton of great features (check out their website) that make it easy for even one person to start managing the security of a whole company. That’s a pretty great thing for them to do. Because OSSIM is open source and freely available for you and me to use, here are some use cases where we can harness the power of a SIEM.

- It’s an amazing learning tool for newbies or people just trying things out.
- Have a full IDS for your home without paying a dime. (Side note: IDSs are typically very expensive. AlienVault’s USM starts at $5,000. Not bad at all for enterprise, but ridiculous for home use trying to guard 5 – 10 systems.)
- Proof of concept for using an IDS at work.

I’m going to talk briefly about the last bullet for a moment because that’s how I got started on OSSIM. One of my managers said to me a while back that no one will argue with you that security is important. What they will argue with you about is the cost of these tools, the cost of dedicating engineers to run these tools, the cost of a dedicated security team, etc.

Now if you already work as a full-time infosec specialist (and if you do, I’m jealous), congratulations, because a lot of the business-case justification is done for you. All you need to argue is the cost of the tool. However, I and many others aren’t so lucky. That’s why I really like OSSIM. I can spin OSSIM up on a server I have available, configure it, start generating meaningful reports and vulnerability assessments, and warn other employees (sometimes high-level ones, even) that there’s suspicious traffic on the network, before anyone really notices what I’m doing.

To be clear, I am not saying to go behind people’s backs! When I did this myself, several people knew I was working on this and a few of them helped me out as well. But I didn’t need to prove a business case for it yet. It was free, and the time I spent was, overall, minimal, since many of the vulnerability reports and analysis I did were done off the clock in my free time anyway.

Alright, on to the guide!

This documentation goes over how to create a virtual machine using KVM on Ubuntu 14.04 LTS Server and install OSSIM.

Step-by-step guide

This is best done from a Linux system.

If done on a Mac, you need to first install X11/XQuartz. A VM running Ubuntu Desktop on a Mac works just as well.

If done on a Windows system… I am so sorry for you. (But really, just use a Linux VM in VirtualBox or something.)

The reason for this is that we’ll be using virt-manager, a graphical tool for setting up VMs in KVM. (Trust me, it’s just easier.)

I won’t go through setting up Ubuntu Server in this, but if you’ve ever installed Ubuntu before, it’s not hard.

Allocate RAM and CPU cores. Suggested specs can be found here. Click “Forward”

Allocate space for a virtual hard drive. Click “Forward”

Review VM resource specs and click Finish.
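The RAM/CPU, disk and review steps above, as an added example that is not part of the original post: a reviewable virt-install equivalent of the virt-manager wizard, with a checksum gate so you only boot an OSSIM ISO whose hash matches the vendor's published value. Assumptions (hypothetical, adjust to your host): virt-install is installed, the host bridge is named br0, and images live under /var/lib/libvirt/images; the sizes used are placeholders, not AlienVault's suggested specs.

```shell
#!/bin/sh
# Added example, not from the original post: the virt-manager steps
# (RAM/CPU, virtual disk, review) as a printed virt-install command with an
# ISO checksum gate in front of it. Hypothetical assumptions: virt-install
# is installed, the host bridge is br0, images live under $POOL.
POOL=/var/lib/libvirt/images

# Portable SHA-256 of a file (GNU coreutils or BSD/macOS shasum).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Only boot an installer image whose hash matches the value taken from the
# vendor's download page; pass that value in, do not hard-code it here.
verify_iso() {
    iso="$1"; expected="$2"
    [ -f "$iso" ] || { echo "ISO not found: $iso" >&2; return 1; }
    [ "$(file_sha256 "$iso")" = "$expected" ] ||
        { echo "checksum mismatch for $iso" >&2; return 1; }
}

is_posint() { case "$1" in ''|*[!0-9]*|0) return 1;; esac; }

# Build (print, not run) the virt-install line: name, RAM in MiB, vCPUs,
# disk size in GiB, ISO path, bridge. Take the sizes from AlienVault's
# suggested specs; the numbers used below in testing are placeholders.
build_virt_install_cmd() {
    name="$1"; ram_mib="$2"; vcpus="$3"; disk_gib="$4"; iso="$5"; bridge="$6"
    for v in "$ram_mib" "$vcpus" "$disk_gib"; do
        is_posint "$v" || { echo "not a positive integer: $v" >&2; return 1; }
    done
    printf 'virt-install --name %s --memory %s --vcpus %s --disk path=%s/%s.qcow2,size=%s,format=qcow2 --cdrom %s --network bridge=%s --graphics vnc\n' \
        "$name" "$ram_mib" "$vcpus" "$POOL" "$name" "$disk_gib" "$iso" "$bridge"
}

# Gate, then build; prints the command so it can be reviewed before running.
create_ossim_vm() {
    # args: name ram_mib vcpus disk_gib iso bridge expected_sha256
    verify_iso "$5" "$7" || return 1
    cmd=$(build_virt_install_cmd "$1" "$2" "$3" "$4" "$5" "$6") || return 1
    echo "$cmd"
    # eval "$cmd"   # uncomment to actually create the VM
}
```

Once the printed line looks right, uncomment the eval (or paste the line into a terminal) and the VM boots the ISO just as the wizard would.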

Once the ISO boots, continue through the OSSIM Installer:

Select the correct Language, Location, and TimeZone.

Set the Root password

Provide the IP address for the system

Wait for the system to install

After the system is done installing, pull up a web browser and go to the IP address (https://192.168.x.x) you assigned OSSIM.
Pretty much everything after this will be done via OSSIM’s web interface. There is an easy-to-navigate setup wizard that will get you finished and working in OSSIM.

And that’s it!

You now have OSSIM up and running on your network! If you are curious about how to really start utilizing OSSIM, AlienVault has a great resource area with webinars that can teach you how to get the most out of your new SIEM.

Questions? Comments? Leave me a note below and I’ll be happy to help (if I can!)